GPO blocking application traffic w/Firewall service stopped

Seventh

New member
Local time
6:04 PM
Messages
2
Location
Boston, MA
Hi folks. I wasn't sure which forum this belonged in, so apologies if this is the wrong place.

I'm working with a hardened Win7 x32 machine right now that's part of a domain that has a very strict (military) GPO set assigned to it. I have an application that sends unicast traffic on one machine, and an application that receives it on the other.

Before applying the GPO set, everything works as it should. The receiving application gets the traffic and all is well. As soon as I join the receiving machine to the domain and get the policies, the traffic stops working. Here's where it gets weird.

I am logged in as domain admin on both machines, and I CAN get unicast traffic out of the receiving machine to other hosts. I have the Windows Firewall service stopped on the receiving machine, and if I run a netstat I can see the ports open. Additionally, if I Wireshark the NIC, I see the traffic from my originating box getting to the receiving machine - it just doesn't make it to the application.

Short version:

- Computer sends traffic to My_Receiving_Machine
- Ports are open on My_Receiving_Machine, verified in netstat
- I see the traffic I'm sending to it on the NIC in Wireshark on My_Receiving_Machine
- Windows firewall service is stopped on My_Receiving_Machine
- Traffic does not get to application, regardless of port

I'm not the most familiar with GPO so I'm just going through them all right now hoping to stumble across it, but I'm hoping someone can save me a LOT of time and perhaps offer some guidance. The traffic I'm sending is UDP unicast, but it's the same for multicast - I see the traffic on the NIC, but it doesn't make it to the application. I am running the application itself under an administrative account as well.

Any suggestions would be very much appreciated. Thanks!
 

My Computer My Computer

At a glance

Windows 7, UbuntuAMD
Computer Manufacturer/Model Number
Dell
OS
Windows 7, Ubuntu
CPU
AMD
I'm a retired Fed Gov LAN/WAN Network Manager. The department support/help desk for the application would be the best place to start. I know the agency I worked for routinely customized software for our agency's use, and thus the department responsible for the software was the only one that knew how it worked.
 

My Computer My Computer

At a glance

Windows 10 64 bitIntel i7 6700K16GB Corsair DominatorIntel CPU Graphics
Computer type
PC/Desktop
Computer Manufacturer/Model Number
My Own Build
OS
Windows 10 64 bit
CPU
Intel i7 6700K
Motherboard
ASUS ROG Maximus VIII Hero
Memory
16GB Corsair Dominator
Graphics Card(s)
Intel CPU Graphics
Sound Card
RealTek
Monitor(s) Displays
27" Dell S2719dgf
Screen Resolution
2560X1440
Hard Drives
1 TB Samsung 850 EVO SSD for Win 10 Pro
500GB Samsung 850 EVO SSD for Win 10 Insider
2 TB drive for backup
PSU
EVGA Supernova 750G2
Case
BeQuiet Silent Base 600
Cooling
Deepcool Captain 120EX
Keyboard
Microsoft Wireless 2000
Mouse
Microsoft wireless
Internet Speed
100 MB/sec (Cable)
Antivirus
Microsoft Defender and Malwarebytes
Browser
Edge/Firefox
Other Info
Cakewalk (Sonar) by BandLab and Studio One 4.1 Pro recording studio software. MOTU 896Mk3 Hybrid recording interface, Frontier Tranzport wireless control unit, Behringer X-Touch Control Surface.
Five USB connected optical drives for CD Audio production using Nero BurningROM
Thanks. :) I'm working with an Air Force SDC image - I assume you're probably familiar with them then. I have tried calling the support help desk, and (no offense meant to any servicemen) I get connected with low level 2LTs whose roles are more along the lines of creating domain accounts and changing passwords, not high(ish) level GPO adjustment.

As it turns out, it's not that my WF service is stopped. It actually SAYS it's stopped in the services panel (logged in as the domain admin), but the service IS still running. This has led me to a whole new level of what_the_hell_am_I_doing, haha.

Right now all I'm trying to do is allow a single application (we'll call it debug.exe) on a single port (udp 18999) through the FW. I've added the rules on the client, but looking at the firewall log it's still dropping the incoming packets.

In my GPO I have both "Allow local port exceptions" and "Allow local program exceptions" enabled. I've updated the client with the GPO, but it's still ignoring the local rule.

In Windows Firewall config on the client, I see a section under "Rule Merging", and there it says "Apply local firewall rules: No". I'm trying now to figure out how to change that at the GPO level, but not having much luck. Googling around, I found this:

Step 5: Adding the Setting that Prevents Local Administrators from Applying Conflicting Rules

Which says to use "Group Policy Management Editor", but when I look at my GPOs for my domain and edit one, I get Group Policy Object Editor, not Management. I can't figure out how to get to the "Management Editor" to try and make the change to allow local firewall rules. So if anyone knows where I go to adjust the GPO to set Apply Local Firewall Rules to Yes, that would be fantastic.
 

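An added diagnostic for the symptoms in both of Seventh's posts (the service that reports stopped but is running, the "Apply local firewall rules: No" rule-merging setting, the local rule for debug.exe on UDP 18999, and the firewall log); it is not code from this thread. It uses only netsh, sc.exe and the Windows Firewall policy registry key, so it runs on Windows 7 PowerShell 2.0; the port and program name are taken from the post and are the only inputs to adjust.

```powershell
# Added diagnostic for the situation in this thread; not from the posts.
# Uses netsh/sc.exe so it works on Windows 7 (no NetSecurity module needed).
# Inputs taken from the post; adjust for your own case.
$Port = 18999
$Program = 'debug.exe'

function Get-NetshRuleBlocks {
    # netsh prints one rule per blank-line-separated block; return each block as one string
    param([string[]]$Lines)
    $blocks = @(); $cur = @()
    foreach ($l in $Lines) {
        if ($l.Trim() -eq '') { if ($cur.Count -gt 0) { $blocks += ,($cur -join "`n"); $cur = @() } }
        else { $cur += $l }
    }
    if ($cur.Count -gt 0) { $blocks += ,($cur -join "`n") }
    return $blocks
}

# 1. What the Service Control Manager says about MpsSvc (the services snap-in can disagree
#    when policy forces the service, which is what the second post ran into).
sc.exe query MpsSvc | Select-String 'STATE'

# 2. Does domain policy forbid merging local rules? AllowLocalPolicyMerge = 0 is what the
#    client displays as "Apply local firewall rules: No" under Rule Merging.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
if (Test-Path $pol) {
    $p = Get-ItemProperty -Path $pol
    "Domain policy: EnableFirewall=$($p.EnableFirewall) AllowLocalPolicyMerge=$($p.AllowLocalPolicyMerge)"
} else { 'No domain-profile firewall policy key present' }

# 3. Effective profile settings as the firewall engine sees them
netsh advfirewall show domainprofile | Select-String 'State|LocalFirewallRules|LogDroppedConnections|FileName'

# 4. Local (persistent) store vs. effective (active) rules for the port. A rule present in
#    the first but absent from the second is being discarded by the merge policy, so the
#    allow has to live in the GPO itself rather than on the client.
$inLocal  = Get-NetshRuleBlocks (netsh advfirewall firewall show rule name=all dir=in) |
            Where-Object { $_ -match "LocalPort:\s+$Port\b" }
$inActive = Get-NetshRuleBlocks (netsh advfirewall monitor show firewall rule name=all dir=in) |
            Where-Object { $_ -match "LocalPort:\s+$Port\b" }
"Inbound rules for port ${Port}: local store=$(@($inLocal).Count), effective=$(@($inActive).Count)"
$inLocal | Where-Object { $_ -match [regex]::Escape($Program) } | ForEach-Object { "--- local rule ---`n$_" }

# 5. Last drops logged for the port (log fields: date time action proto src dst sport dport ...)
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
if (Test-Path $log) {
    Get-Content $log | Select-String " DROP UDP \S+ \S+ \d+ $Port " | Select-Object -Last 5
}
```

If the port rule shows up in the local store but the effective count is zero while AllowLocalPolicyMerge is 0, the client-side rule is being ignored exactly as the post describes, and only a change in the domain GPO (or a rule added to the GPO) will let it apply.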
I know nothing about the software you are using. I worked for SSA and we had our own internal network. The LANs used Token Ring instead of Ethernet and Novell NetWare file servers. Token Ring (IBM) and what it does is totally different from the protocol you are using.

I was the Regional Network and hardware help desk manager in Kansas City, Mo. I had the entire Midwest (everything west of the Mississippi to the Rocky Mountains). There are three levels of help desk support. Level 1, which you ran into, basically takes problem calls, gets the user's information, and asks some basic questions such as "is your PC plugged in" or "is it powered up and on line", etc. Level 2 does more in-depth troubleshooting and testing and can fix most problems that do not require an on-site hardware tech. Finally there is the 3rd level, which is the system analysts, programmers, etc.
 
